It’s Not Just Your Data That Hackers Are After

Sep 8, 2015

When you think of what hackers want, you probably think that they are after your most important financial data. However, security researchers have found that hackers are able to gain access to other pieces of important data on devices that you would never imagine could be hacked.

Security researchers from the University of California, San Diego, have recently discovered that some car security systems have vulnerabilities, and that hackers are able to remotely control vehicles via a simple text message. This is possible because of the small black dongles that are connected to the cars’ diagnostics ports. Once they have gained control, the hackers are able to remotely activate the vehicle’s windscreen wipers and most concerning, the brakes.

Ironically, these dongles were originally installed as a safety feature. Insurance companies and fleet operators installed them as a way of tracking the vehicles, as well as monitoring their fuel efficiency and the number of miles they were being driven. However, some researchers have discovered that if a particular command is texted to the dongle, it would be relayed to the car’s internal system.

Stefan Savage, a computer security professor and leader of the aforementioned research project said that in the process of reverse engineering the dongles, they “found that they had a whole bunch of security deficiencies.”

Interestingly, the dongles that were tested were all made by a company called Mobile Devices and were given to customers by US insurance company Metromile, as part of its pay-per-mile insurance plan. The company also distributes the dongles to Uber drivers for their bespoke insurance plans. The US government recently mandated that all federal bodies with fleets over 20 vehicles must install a similar type of dongle to monitor telematics, and this means that even more vehicles are at risk.

The dongles are thought to be completely safe until they are compromised. However, once the hacker has accessed the dongle they are able to control practically all features of the car, including the steering and the locks. As a result, no cars equipped with the devices are safe from the possibility of being remotely controlled by hackers.

According to the research, the vulnerability lies in the fact that the dongles were distributed in an insecure ‘developer mode.’ They were also configured to accept commands via text messages, meaning that it isn’t just coincidence that hackers are able to have quite so much control over vehicles.

Both Mobile Devices and Metromile were notified of the vulnerability, and wirelessly issued a patch to fix it. Mobile Devices also advised clients that their newer dongles were not at risk of such a hack. However, the researchers have reason to disbelieve this, as they found that thousands of the company’s newer dongles do indeed have the vulnerability, even as far afield as in Spain.

That said, the researchers warn that many other dongles of this type are also vulnerable to similar weaknesses. Insurance company Progressive was also found to have serious security flaws in the dongles that they provided. Likewise, personal telemetrics device Zubie was also found to have security faults. This means that even when you are not worrying about the safety of company data stored on your computer, you may have reason to be concerned about your own personal safety – it seems that hackers can access data from your vehicles, and that is very worrying indeed.